Data Subjects are at the Center of Privacy Law and Compliance
A data subject is an identifiable person whose personal data is regulated by the privacy laws of their nation or state. The term data subject was first broadly used in the EU Data Protection Directive of 1995 and is now the foundation for GDPR. In GDPR, data subjects are referred to as individuals (who reside in the EU), while in CCPA they are referred to as California consumers (California residents).
GDPR specifically defines the data subject as: “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Why is the data subject so important to privacy?
- The data subject is granted numerous rights and expectations by GDPR.
- The data subject has ultimate control of their data (detailed in data subject rights).
- Organizations must pay special attention to the information they hold on data subjects; they are expected to have reasonable controls, processes, and policies to ensure that the privacy of the data subject is upheld.
What are typical data subject rights?
- The right to understand what data an organization holds on a person and how it is used (right to access).
- The right to be forgotten or deleted.
- The expectation of reasonable security.
- The right to portability: requesting and moving data from and to service providers.